The February theft of a laptop computer that held sensitive data on human subjects has led NIH to take several steps to prevent such a violation from happening again.
In a memo to all staff on Apr. 9, NIH director Dr. Elias Zerhouni said the theft had placed renewed focus on the necessity of encrypting portable electronic devices, and, according to chief information officer Dr. Jack Jones, NIH is redoubling efforts to encrypt laptops currently
He said Zerhouni’s message to the NIH community “certainly helped raise awareness and get the word out,” and it emphasized the importance of “100 percent compliance” with privacy and information security measures and policy. Other key points of the message were that NIH conducted a review and certification of all laptops to ensure that all those that can be encrypted are in fact encrypted, that NIH will begin random audits for compliance with existing HHS encryption policy for laptops and other portable media, and that NIH has identified laptops that cannot be encrypted at this time—primarily Macintosh laptops. Currently, Macs cannot be used to store sensitive information due to a lack of approved software, but they can be used for sensitive data analysis, provided that the data are stored on an encrypted removable
Zerhouni also listed specific requirements for other devices, including USB drives and BlackBerrys, and he gave examples of sensitive and non-sensitive data.
In addition to the steps described in the memo, Dr. Raynard Kington, NIH deputy director, sent a letter to institute and center directors calling for policy changes regarding laptop security, and Jones will be preparing a new policy requiring that all computer equipment is received, configured and encrypted by IC IT staff before it is delivered to IC end users. Jones also gave a presentation to NIH’s executive officers soliciting their support for new security initiatives at NIH. The IT community has now ensured the encryption of more than 12,000 laptops.
Property Risk Mitigation with nVision Property
Did you know that nVision Property Reports can help mitigate your property risks? nVision provides relevant information on laptops and other property that you need to monitor and track. Specifically, the Property Search (Prop-02) report displays detailed property information that can be searched by a large variety of selection criteria.
But before you can view these reports, you must first register for access to nVision Property and it is recommended that you attend a training class.
If you would like to register for nVision Property or attend training, visit the nVision community page at https://my.nih.gov. Select nVision from the My Communities menu.
If you are already registered for nVision Property, access Property Search (Prop-02) and other property reports from the nVision community page at https://my.nih.gov. Select nVision from the My Communities menu and then click on Launch Reports.
If you have questions or need customer support, contact the NIH Help Desk at ITHelpDesk@mail.nih.gov or call (301) 496-4357.
According to Jones, the stolen laptop was used by an investigator who took it home to work after hours. The investigator’s laptop hadn’t been encrypted because his lab had been experiencing difficulties with computer encryption that they were working to overcome. Then, due to an oversight, “the laptop was not encrypted even after those problems were resolved, and neither the investigator nor the relevant information technology staff followed up on the matter, as they should have,” Jones said.
The laptop held information on more than 3,000 patients in an NHLBI clinical research project and included Social Security numbers for more than 1,200 of those patients.
Dr. Michael Gottesman, NIH deputy director for intramural research, said that going forward, in addition to assuring the encryption of all computers containing sensitive data and dramatically reducing the amount of personally identifiable information and sensitive data on any laptops, “we need to educate our staff about the seriousness of breaches of private information and find new ways to work on data without the need to download them into portable computers.” He said that IT and human subjects staffs need to “work closely together to guarantee a rapid and uniform response to these kinds of breaches.”
Jones said NIH employees can learn more by talking to IT support staff, information system security officers and the NIH Help Desk. FAQs on NIH computer encryption can be found at http://kiwi.cit.nih.gov/pointsec/index.php/FAQ.